Drupal infections dropped slightly from 2% in Q3 2016 to 1.6% in 2017.

The main cause of infection is still that CMS installations are not properly updated.

At the end of Q3 2016, 61% of hacked WordPress sites recorded outdated installations; however, this has since decreased. In 2017, only 39.3% of clean-up requests for WordPress had an outdated version.

Joomla! (84%) and Drupal saw more than a 15% decrease in outdated versions from the previous year, down to 69.8% and 65.3% respectively.

Similar to previous years, Magento websites (80.3%) were mostly out of date and vulnerable at the point of infection; though this number has declined over 13% since Q3 2016.

Bottom line: site owners seem to have learned the lesson, and the number of outdated sites is decreasing. Still, failing to update sites causes the large majority of problems.

In our experience this is mainly caused by 3 major factors: highly customized deployments, issues with backward compatibility, and lack of staff available to assist with the migration to newer CMS versions.

These areas tend to foster upgrading and patching issues for the organizations that leverage popular CMSs for their websites, also resulting in potential incompatibility issues and impacts to the website’s availability. This is where the decisions made by website owners come into play (sometimes bad ones, but mostly based on lack of expertise).

In most cases this originates in one single decision: choosing not to work with developers who have really mastered these CMSs. It is the responsibility of the developer to guide website owners towards building sustainable sites, eliminating backward compatibility problems from day zero and implementing solutions that do NOT jeopardize future upgrade paths.

Each website owner must be aware of these problems - and must also be aware of the risks assumed when the maintenance of the websites is neglected.